
A Detailed Malware Removal Guide

Hi everyone! I wanted to contribute to the forum and thought this might be of use to many of the people who are having trouble removing malware from their computers. This is pretty much the "Nuke 'em All" approach that I use to clean out heavily infected systems. I usually do this first, then check for anything that may have been left behind. It's much easier to clean out the mass of infections than to pull them out one issue at a time (and most infections aren't noticeable if they're created properly). I currently work in PC repair and this procedure works for me in all but the very worst cases (I would say all but a few times in the last year of virus removals. Much of that may be due to the fact that I hadn't been aware of all these programs and didn't have a proper procedure down). If anyone has anything to add, feel free to post corrections and recommendations.

Optional software:
Norton Removal Tool
McAfee Removal Tool
#Note: If you are using these programs, I recommend removing them because the settings sometimes end up getting messed up by the malware or removal of malware and end up blocking internet access and/or updates for the other software we are installing.

*Step 1 - First Things First*

If possible go into normal Windows mode and follow these steps:

1. Put all the programs listed at the beginning of the tutorial on the desktop.
a. If possible install AVG, Spybot, Super Antispyware, SDFix, Rogue Remover, and CCleaner. (AVG and Super Antispyware need to be installed in Normal Windows Mode.)
b. If you cannot install these programs yet, wait until Step 2.

1. Go into Windows "Safe Mode with Networking" (Press F8 after the BIOS screen during startup)

2. Disable "System Restore" as you did in Step 1. (For some reason disabling this in Normal Mode does not always disable in Safe Mode. Not sure if it matters but I do it anyway.)

3. If you were unable to install Spybot, SDFix, Rogue Remover, and CCleaner in Normal Mode, install them now if possible.

4. Run Smitfraud Fix
a. Select option 2
b. You can allow it to clean the registry if you want but we will do that later anyway.

5. Run Combofix
a. Be careful not to click inside the window while combofix is working as it may freeze the system.
b. If Combofix reboots the system, go back into Safe Mode after the reboot.

6. Run SDFix
a. SDFix installs by default to C:\SDFix
b. Click on the "RunThis.bat" file
c. When SDFix reboots the system, allow the PC to boot into Normal Mode and finish its cleaning.

*Step 3 - Normal Mode/Safe Mode (Removing the rest of it)*

#Note: These scans may be run in Safe Mode if there are problems running them in normal mode. I would recommend running them in Safe Mode if possible.

#Note: If you do not have internet access at this point go to Step 4 (3,4,5,6). If this doesn't solve the problem, run the scans you can and you may remove the malware blocking access. After you have access run the updates on all the software and rescan the PC.

#OPTIONAL: Run McAfee or Norton Removal Tools. This will allow AVG to run properly as well as keep these programs from blocking internet connectivity.

1. If you were unable to install any of the software earlier try again now.
#Note: If AVG still has trouble installing go to Step 4 (1) and reset the registry permissions first then proceed from here.

2. Run CCleaner (this will remove junk files so the virus scans will be shorter, as well as remove some virus programs hiding in the temp folders).
a. Select the "Prefetch Data" box in addition to the boxes checked by default (malware hides there sometimes).
b. Click "Run Cleaner" button.

3. Run Rogue Remover (this program only checks for specific malware and runs in seconds so I run it first)

4. Run AVG, Super Antispyware, and Spybot (in any order, or multiple at once if your PC can handle it).

d. Save and rename the file to "Reset.cmd" (If you cannot change the extension to ".cmd", go to "Folder Options" in the Control Panel or in the "View" menu in any Explorer window and select the "View" tab. Uncheck the "Hide extensions for known file types" box.)
e. Put this file in the same directory that "Subinacl.msi" installed to.
f. Click on the "Reset.cmd" file.

2. Clean the registry (this should get rid of popups during startup that indicate missing files such as .dll files)
a. Run CCleaner
b. Select the registry icon on the right side
c. Scan for and fix issues
#Note: CCleaner is not the best registry cleaner but it is free and already installed. Feel free to use any legitimate registry cleaner.

3. Repair Windows Update
a. Run Dial-a-Fix and select all the check boxes.
b. Run the program

6. Check your DNS
a. Go to Start>Connect To>Show all connections (or Start>Control Panel>Network Connections)
b. Right click on the network adapter you use for internet access
c. Select "Properties"
d. Select "Internet Protocol (TCP/IP)"
e. Click the "Properties" button
f. Make sure the DNS server IP address is the same as provided by your ISP or is set to automatic. (I prefer using OpenDNS servers [208.67.220.220 and 208.67.222.222] because they are usually more secure than the ISP DNS servers)

This should solve most infections. Other anti-virus/anti-spyware software can be used in addition to these free solutions but those I posted have worked very well for me. If you still think there may be junk on your system, I recommend installing free trials of reputable paid software such as Eset's NOD32, Kaspersky, and eEye's Blink and scanning with each (You can only properly use one anti-virus program at a time so uninstall each before you install a new one).

That's about it. I hope this is helpful. Let me know if I have something wrong or am missing anything.
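Step 6 of the guide checked from a script instead of the adapter dialog: an added Python example (not part of the post) that parses the text of `ipconfig /all` and flags any adapter using a DNS server outside an allow-list. The ipconfig output below is constructed for offline use; the only allow-list values are the two OpenDNS addresses the guide gives, so substitute your ISP's resolvers as needed.

```python
"""Parse ``ipconfig /all`` and flag adapters whose DNS servers are not on an
allow-list (your ISP's resolvers, or the OpenDNS pair named in the guide)."""
import re
import subprocess
import sys
from typing import Dict, List

OPENDNS = {"208.67.220.220", "208.67.222.222"}

# Constructed sample: one clean adapter, one whose first resolver was changed.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.10
        DNS Servers . . . . . . . . . . . : 208.67.220.220
                                            208.67.222.222

Ethernet adapter Wireless Network Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.11
        DNS Servers . . . . . . . . . . . : 203.0.113.7
                                            208.67.222.222
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*: *(\d{1,3}(?:\.\d{1,3}){3})\s*$")
CONT_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # extra servers, one per line

def parse_dns_servers(text: str) -> Dict[str, List[str]]:
    """Map each adapter name to the DNS servers ipconfig lists for it."""
    servers: Dict[str, List[str]] = {}
    adapter, in_dns = "", False
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            adapter, in_dns = m.group(1), False
            servers[adapter] = []
        elif adapter and (m := DNS_RE.match(line) or (in_dns and CONT_RE.match(line))):
            servers[adapter].append(m.group(1))
            in_dns = True
        else:
            in_dns = False  # any other field or a blank line ends the DNS block
    return servers

def check_dns(text: str, allowed: set) -> Dict[str, List[str]]:
    """Return {adapter: [servers not in allowed]}, only for adapters that have one."""
    found = {a: [s for s in lst if s not in allowed] for a, lst in parse_dns_servers(text).items()}
    return {a: bad for a, bad in found.items() if bad}

if __name__ == "__main__":  # live check on Windows, the constructed sample elsewhere
    live = sys.platform == "win32"
    text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout if live else SAMPLE_IPCONFIG
    print(check_dns(text, OPENDNS) or "all DNS servers are on the allow-list")
```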

Before I say anything critical about your post, I'd like to thank you for adding content to the forum and I'd like to be the first to encourage you to continue. If you wouldn't mind, I'd like to add my opinion to one or two points.

Optional software:
Norton Removal Tool
McAfee Removal Tool
#Note: If you are using these programs, I recommend removing them because the settings sometimes end up getting messed up by the malware or removal of malware and end up blocking internet access and/or updates for the other software we are installing.

If you're truly going for a "nuke 'em all" approach, I'd add multiple other antivirus and antispyware programs. I use approx. 10-12 antivirus/antispyware programs from a boot CD that "borrows" space at the end of the partition to download definitions, then proceeds to scan outside of Windows entirely. (Safe mode is of course the next best option, and system restore points would need to be disabled in any case as you noted). This allows the programs the maximum possible freedom to remove all infected files. I recommend running that many programs simply because every single one finds something the others did not. Afterwards I also like to run HijackThis to manually clean up any obvious viral code (anything that looks really official but has randomly generated characters at the end, such as system32.dll.adsklno72). You may also wish to check C: or the Program Files folder for folders with names that contain randomly generated characters. Ctrl+C (copy) the name of the folder, delete it, then open up regedit and scan the registry for other entries by the same name. Delete each one until you've gone through the entire registry. I commend you for adding in Windows fixes for cleaning up the mess left in the aftermath! Most people forget that part.
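The "official name with a random tail" check from the post above, as an added example that is not keezle's tool or anything from the thread: a Python triage script that flags such names (and random-looking folder names under C:\ or Program Files) for a person to research. The consonant-run and digit thresholds and the sample names are constructed assumptions; it lists leads and deletes nothing.

```python
"""Triage helper for the pattern described above: an official-looking name with
a random tail (system32.dll.adsklno72) or a folder whose name looks generated.
It only lists candidates for a human to research; it deletes nothing.
"""
import os
import re
from typing import List, Tuple

REAL_EXT = {"dll", "exe", "sys", "ocx", "drv"}
VOWELS = set("aeiouy")
DIGIT_INSIDE = re.compile(r"[a-z]\d+[a-z]")  # digits wedged between letters

def looks_random(fragment: str) -> bool:
    """Crude word-vs-junk test: a run of 5+ consonants, or digits inside the
    letters.  Thresholds are assumptions; svchost (4 consonants) passes."""
    letters = [c for c in fragment.lower() if c.isalpha()]
    if len(fragment) < 6 or not letters:
        return False
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5 or bool(DIGIT_INSIDE.search(fragment.lower()))

def suspicion(name: str) -> str:
    """Return a short reason if `name` matches the pattern, else ''."""
    parts = name.lower().split(".")
    for i, p in enumerate(parts[:-1]):
        if p in REAL_EXT and looks_random(".".join(parts[i + 1:])):
            return f"random tail after .{p}"  # e.g. system32.dll.adsklno72
    stem = parts[0] if len(parts) == 1 or parts[-1] in REAL_EXT else ""
    return "random-looking name" if looks_random(stem) else ""

def triage(names: List[str]) -> List[Tuple[str, str]]:
    """Reduce a list of file/folder names to (name, reason) leads to research."""
    return [(n, suspicion(n)) for n in names if suspicion(n)]

def triage_dir(path: str) -> List[Tuple[str, str]]:
    """Run triage() over the entries directly under `path`, e.g. Program Files."""
    return triage(os.listdir(path))

# Constructed sample: legitimate names plus two generated ones.
SAMPLE_NAMES = ["kernel32.dll", "svchost.exe", "Microsoft Office",
                "system32.dll.adsklno72", "xk7q2zpa9", "Adobe"]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_NAMES):
        print(f"{name}: {why}")
```

Names it flags are leads, not verdicts: research each one the way the post suggests before touching it or its registry entries.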

Thanks keezle. I did mention at the end using other virus removal programs. I kind of wrote this for people without the knowledge or ability (their machine is infected) to create a boot CD with AV programs (like creating a BartPE ISO). I agree that I should have put in HijackThis, explaining researching unfamiliar files and doing a visual scan of unfamiliar programs. I usually use these procedures after everything else is done as a final go-over and if things still aren't working right. Rootkit removal with F-Secure, Rootkit Revealer and others is something else I didn't mention. I will append this tutorial with your input when I have a minute to write it all up.

But, if the machine has been compromised (owned) then it is reformat and reinstall. After all, every user has backed up their personal data and used nLite or vLite to create the latest slipstreamed version of their OS; haven't they?

EDIT:

OK, perhaps I should explain. My sequence tends to reflect the type of problems I usually encounter in my particular location and environment.

If I come across something that I recognise as spy/adware that needs a specific removal tool I will go after that first.

Most of the stuff I encounter is pretty mundane adware/spyware, and the more specialist tools for these annoyances seem to do a more comprehensive job than mainstream AVs (I mean the three in #1).

I notice that HijackThis! has been mentioned? For the non-technical I would recommend using this site:

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

One tool I didn't see mentioned is called RegCleaner. I find it a very useful program; it can be found at the link below. It is an older program and the newest version I've unfortunately been unable to get to work in Vista. It condenses things from the registry in a nice, easy-to-read fashion with associated programs and will even give you the location of all keys associated with the entry. Another nice feature is that it has an Add/Remove programs tab that will display EVERYTHING, even the stuff that Windows will not display in its Add/Remove Programs utility. It also has a Startup tab, and when you remove things from the startup (msconfig) it doesn't require a reboot and doesn't give you that retarded warning message after you do reboot.

I get calls like this all day; however, I am NOT allowed to use third-party programs as you described above and only use the program of the AV company that I work for.

You should be able to use HijackThis! remember that it shows questionable stuff that may or may not be malware. Typical AV products ignore these.

The two virus lookup sites should be OK as well, as Panda supports them both.

Also, some malware requires specialist tools like combofix and smitfraudfix.

CCleaner and RegCleaner should also be OK as they are really just housekeeping tools.


Nihil - HijackThis is now part of Trend Micro, you are not allowed to use it.

...

since when? I downloaded v2.02 from Download.com tonight.. and not forgetting Trend Micro themselves.. http://www.trendsecure.com/portal/en...kthis/download you can still d/l 1.99 from several sources... the Analyser sites are still supported.. So I think it is still a valid tool... IF YOU KNOW WHAT YOU'RE LOOKING AT..

"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr